How to Allow Specific Commands with Sudo in Linux

Sometimes, you might want to grant a user sudo privileges for only specific commands instead of full administrative access. This guide will show you how to do that easily. We will also provide an example and a test scenario to ensure it works correctly.

Granting command-specific sudo privileges allows a user to run only certain commands with superuser rights. This can enhance security by limiting the user’s abilities.

Note: Be careful while editing the sudoers file. Mistakes in this file can prevent you from using sudo, thereby locking you out of performing administrative tasks on the system.

Steps to Grant Sudo Privileges for Specific Commands

Follow these steps to grant a user sudo privileges for specific commands:

1. Open the sudoers file: Use visudo to safely edit the sudoers file:

   sudo visudo
   

2. Add Command-Specific Entry: Add a line specifying the user and the command they are allowed to run. For example, to allow the user tecadmin to reload the Apache service:

   
   tecadmin ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload apache2.service
   
   

   This line allows the user tecadmin to run systemctl reload apache2.service without needing a password.

   

3. Save and Exit: Save the changes and exit visudo. Typically, this is done by pressing Ctrl X, then Y, and then Enter.

Example: Granting Sudo Privileges for Specific Command

Let’s go through an example to grant sudo privileges to the user tecadmin for reloading the Apache service:

1. Edit the sudoers file:

   sudo visudo
   

2. Add the Entry:

   
   tecadmin ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload apache2.service
   
   

3. Save and Exit: Save the changes and exit visudo.
4. Switch to the User: To ensure the user has the correct sudo privileges, simply switch to user with su command.

   su - tecadmin
   

5. Run the Specific Command:

   sudo /usr/bin/systemctl reload apache2.service
   

   If tecadmin has the correct sudo privileges, the command will execute without asking for a password.

If the command executes successfully, it means the user tecadmin has been granted sudo privileges for the specific command correctly.

See the below screenshot:

You will notice that the “tecadmin” is able to reload Apache service as we configured in Sudoers but he is not able to restart the same service. That means the configuration is working properly.

Additional Command Example

Let’s add another example to allow the user tecadmin to update the package list:

1. Edit the sudoers file:

   sudo visudo
   

2. Add the Entry:

   
   tecadmin ALL=(ALL) NOPASSWD: /usr/bin/apt update
   
   

3. Save and Exit: Save the changes and exit visudo.
4. Switch to the User: The following command switches you to the user tecadmin.

   su - tecadmin
   

5. Run the Specific Command:

   sudo apt update
   

   If tecadmin has the correct sudo privileges, the command will execute without asking for a password.

If the command executes successfully, it means the user tecadmin has been granted sudo privileges for the specific command correctly.

Conclusion

Granting sudo privileges for specific commands in Linux is a great way to enhance security while still providing necessary access. By following this guide, you can easily set up command-specific sudo privileges for users on your system. Always test the configuration to ensure it works as expected.